[OpenID] UCI Idea: An iPhone OP (?)
Paul Madsen
paulmadsen at rogers.com
Wed Mar 3 17:03:40 UTC 2010
Hi David, FYI, NTT built something like you describe for SAML SSO -
specifically the scenario you list below in #4
http://www.projectliberty.org/liberty/content/download/3960/26523/file/NTT-SASSO%20liberty%20case%20study.pdf
paul
On 3/3/2010 11:33 AM, David Fuelling wrote:
> Wondering what people think about using as an iPhone (or Android/etc)
> application as a personal OP.
>
> Basically, the way it would work is as follows:
>
> 1. Go to RP, get prompted with a login form.
> 2. Turn on iPhoneOP application on your iPhone.
>    1. iPhone App turns on lighttpd (or some other ultra-small
>       web server) to serve web requests from the phone and act
>       as an OP.
>    2. iPhone App then connects to a DDNS service that connects
>       the phone's current IPV6 address to the OP domain.
>    3. The iPhone is now the user's OP.
> 3. User signs into the RP, which then does the OpenID dance with
> the OP running on the user's iPhone.
> 4. The user could log in via the web, or optionally just
> get prompted on the phone that a login is occurring - the user
> could then accept the login and/or enter a security code (in
> case of a lost iPhone).
> 5. User is logged into the RP.
> 6. iPhone App turns off.
>
> Some initial thoughts I've had:
>
> 1. Could this take us a lot closer to a user-centric identity?
> Imagine if this software was built into the phone (so you
> didn't have to run an App to make it work).
> 2. Something like this would be interesting from a multi-auth
> perspective. On the one hand, it could preclude the need for
> multi-auth because a person could turn off his OP when the app
> isn't running (thus ensuring no RP logins without the
> phone... mostly -- see some security drawbacks below).
> 3. Alternatively, it could provide one multi-auth solution in that
> an RP could be required to get an assertion from a "regular" OP
> and a user-centric OP (like the iPhone) before allowing access.
>
> Security Drawbacks (?)
>
> 1. The user should trust his/her DDNS provider because somebody at
> that provider could change the IP address hooked up to the
> domain backing the iPhoneOP (without the knowledge of the user).
> However, this is an issue with current OPs (the rogue employee
> problem). Either could be mitigated with multi-auth.